CVE-2025-58337

CVE-2025-58337: Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode for doris-mcp-server MCP Server

Vendor Apache Software Foundation

Product Apache Doris-MCP-Server

Weakness CWE-284

Published November 5, 2025

Last update November 6, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions. Impact: Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications. Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).

Key dates

Disclosure timeline

November 5, 2025 CVE published

November 6, 2025 Record updated